Thanks for that link, it was very helpful. It looks like my answer was 
buried deep within it. That link has 1 subtle difference from what I did, 
which is to run openssl rehash on the directory containing the CRL as the 
final step. This creates a hashed filename linking to the CRL and THAT is 
what openssl is looking for. The documentation for set_crl_directory does 
say it will "read all hashed x.509 CRL files", but what it fails to mention 
is that the filename also has to be hashed with openssl rehash. That readme 
link should also probably mention the same, as it doesn't explain why it's 
running openssl rehash at the end, nor is it obvious.

On Sunday, February 11, 2024 at 6:17:10 PM UTC-5 Andrey Ermolov wrote:

> Hello Tim,
>
> Could you provide more information about your setup, like grpc stack 
> (C++/Go), grpc version, how CRLs are generated, etc? 
> In general, I'd like to encourage you to take a look at how updated CRL 
> functionality is organized and test certs/CRLs are generated for it (C++) - 
> https://github.com/grpc/grpc/blob/master/test/core/tsi/test_creds/crl_data/README
>
> On Friday, February 9, 2024 at 7:09:39 PM UTC-5 Tim wrote:
>
>> I'm trying to use a CRL to revoke a certificate. I've generated the CRL 
>> and verified the cert is revoked with 'openssl verify -crl_check ...' and 
>> it correctly outputs the cert is revoked. 
>>
>> When I call options.set_crl_directory with the absolute path to the 
>> directory the CRL is in, when I connect I just get the log "Certificate 
>> verification failed to find relevant CRL file." and it allows the connection 
>> to succeed.
>>
>> I have the CRL in both PEM and DER formats in the directory. Does the 
>> file have to be a certain name in order for gRPC to find it? Or is there 
>> some other reason it can't find it?
>>
>
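
The check below is an added example, not part of the thread or of gRPC's own code: it lists every PEM CRL in a directory that has no <issuer-hash>.rN entry, which is the name openssl rehash creates, so an unhashed CRL directory is caught before revocation checks rely on it. It assumes an OpenSSL 1.1.0+ command-line tool; the CA name, file names and temp directory are constructed for the demo.

```sh
#!/bin/sh
# Added example. The CA name, file names and temp paths are constructed for the demo.

# Create a throwaway CA and an empty PEM CRL at $1/crls/current.crl.
make_demo_crl() {
  d=$1; mkdir -p "$d/crls"; : > "$d/index.txt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s\ndefault_md=sha256\n' \
    "$d/index.txt" > "$d/ca.cnf"
  openssl ca -config "$d/ca.cnf" -gencrl -crldays 1 -keyfile "$d/ca.key" \
    -cert "$d/ca.pem" -out "$d/crls/current.crl" 2>/dev/null
}

# Print each PEM CRL in directory $1 that has no <issuer-hash>.rN entry with the
# same content; return 1 if any such CRL exists, 0 otherwise.
unhashed_crls() {
  dir=$1; missing=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case ${f##*/} in *.r[0-9]|*.r[0-9][0-9]) continue ;; esac  # skip hashed entries
    h=$(openssl crl -in "$f" -noout -hash 2>/dev/null) || continue  # not a PEM CRL
    found=0
    for l in "$dir/$h".r*; do
      if [ -e "$l" ] && cmp -s "$l" "$f"; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then echo "$f"; missing=1; fi
  done
  return "$missing"
}

demo() {
  t=$(mktemp -d) || return 1
  make_demo_crl "$t" || { rm -rf "$t"; return 1; }
  echo "CRLs without a hashed name before rehash:"
  unhashed_crls "$t/crls" || true
  openssl rehash "$t/crls" >/dev/null
  unhashed_crls "$t/crls" && echo "after rehash every CRL has one:"
  ls "$t/crls"
  rm -rf "$t"
}
demo
```

openssl rehash only processes files ending in .pem, .crt, .cer or .crl, so a CRL stored under another extension gets no hashed entry.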
